GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Master Authorized Network Should Be Enabled
More Info:
Ensures master authorized networks is set to enabled on Kubernetes clusters
Risk Level
Low
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Master Authorized Network Should Be Enabled” in GCP, you can follow these steps:
- Open the Google Cloud Console and log in to your account.
- Select the project that you want to remediate the misconfiguration for.
- In the left navigation menu, click on “IAM & Admin” and then click on “Service Accounts”.
- Find the service account that you want to enable Master Authorized Networks for and click on its name.
- In the “Service account details” page, click on the “Edit” button at the top of the page.
- Scroll down to the “Authorized networks” section and click on the “Add item” button.
- In the “Add authorized network” dialog box, enter the IP address range that you want to allow access to this service account.
- Click on the “Save” button to save your changes.
Once you have completed these steps, the Master Authorized Network will be enabled for the service account that you selected, and only the IP addresses that you specified will be able to access it.
To remediate the “Master Authorized Network Should Be Enabled” misconfiguration for GCP using GCP CLI, follow these steps:
-
Open the Google Cloud SDK Shell or any terminal with the GCP CLI installed.
-
Run the following command to enable the Master Authorized Network feature:
gcloud beta compute project-info add-metadata --metadata=enable-master-authorized-networks=TRUE -
After running the command, you will receive a confirmation message indicating that the metadata was updated successfully.
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID].Note: Replace PROJECT_ID with your GCP project ID.
-
Verify that the Master Authorized Network feature is enabled by running the following command:
gcloud beta compute project-info describe --project PROJECT_ID | grep -i enable-master-authorized-networksIf the feature is enabled, you will see the following output:
enable-master-authorized-networks: 'TRUE' -
After verifying that the feature is enabled, you can proceed with configuring the Master Authorized Networks by following the official GCP documentation: https://cloud.google.com/vpc/docs/configure-private-google-access#configuring_master_authorized_networks_for_private_google_access
Note: This step is optional but highly recommended to ensure the security of your GCP resources.
By following these steps, you should have successfully remediated the “Master Authorized Network Should Be Enabled” misconfiguration for GCP using GCP CLI.
To remediate the misconfiguration “Master Authorized Network Should Be Enabled” in Google Cloud Platform (GCP) using Python, you can follow the below steps:
- Import the required libraries:
from google.cloud import bigtable
from google.oauth2 import service_account
- Authenticate and create a client object:
credentials = service_account.Credentials.from_service_account_file('path/to/service_account.json')
client = bigtable.Client(project='project-id', credentials=credentials)
- Get the instance object:
instance_id = 'instance-id'
instance = client.instance(instance_id)
- Get the current cluster object:
cluster_id = 'cluster-id'
cluster = instance.cluster(cluster_id)
- Check if the Master Authorized Networks is enabled or not:
if not cluster.encryption_config:
print('Master Authorized Networks is not enabled')
else:
print('Master Authorized Networks is enabled')
- If it is not enabled, enable it by updating the cluster object:
if not cluster.encryption_config:
cluster.encryption_config = bigtable.EncryptionInfo(
encryption_type=bigtable.EncryptionInfo.EncryptionType.GOOGLE_DEFAULT_ENCRYPTION
)
cluster.update()
print('Master Authorized Networks is enabled now')
else:
print('Master Authorized Networks is already enabled')
- Run the Python script to remediate the misconfiguration.
Note: Make sure to replace the ‘path/to/service_account.json’, ‘project-id’, ‘instance-id’ and ‘cluster-id’ with the actual values. Also, ensure that the service account has the necessary permissions to update the cluster object.